dracut-057-43.git20230816

Resolves: #2158155,#2176560
This commit is contained in:
Pavel Valena 2023-08-16 20:45:21 +02:00
parent a5ba84ec9e
commit ffffb5b27f
6 changed files with 197 additions and 10 deletions

41
0038.patch Normal file
View File

@ -0,0 +1,41 @@
From abc03e87ef3dff517c1da05643e8a5ec92b1bf14 Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Mon, 14 Aug 2023 10:24:14 +0200
Subject: [PATCH] feat(spec): include modules for IMA
Resolves: #2158155
---
pkgbuild/dracut.spec | 9 ---------
1 file changed, 9 deletions(-)
diff --git a/pkgbuild/dracut.spec b/pkgbuild/dracut.spec
index e148bbf7..b2d75951 100644
--- a/pkgbuild/dracut.spec
+++ b/pkgbuild/dracut.spec
@@ -214,13 +214,6 @@ rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/00dash
# we do not support mksh in the initramfs
rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/00mksh
-%if %{defined _unitdir}
-# with systemd IMA and selinux modules do not make sense
-rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/96securityfs
-rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/97masterkey
-rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/98integrity
-%endif
-
%ifnarch s390 s390x
# remove architecture specific modules
rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/80cms
@@ -394,11 +387,9 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
%{dracutlibdir}/modules.d/95zfcp
%{dracutlibdir}/modules.d/95zfcp_rules
%endif
-%if %{undefined _unitdir}
%{dracutlibdir}/modules.d/96securityfs
%{dracutlibdir}/modules.d/97masterkey
%{dracutlibdir}/modules.d/98integrity
-%endif
%{dracutlibdir}/modules.d/97biosdevname
%{dracutlibdir}/modules.d/98dracut-systemd
%{dracutlibdir}/modules.d/98ecryptfs

24
0039.patch Normal file
View File

@ -0,0 +1,24 @@
From aaffb39dc86b674501cb447c7fef5dd40aad85fb Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Mon, 14 Aug 2023 11:25:19 +0200
Subject: [PATCH] fix(dracut): there can be \ at the end on line in awk script
Related: #2158155
---
dracut.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dracut.sh b/dracut.sh
index 1ff51bb1..30dfb229 100755
--- a/dracut.sh
+++ b/dracut.sh
@@ -2592,7 +2592,7 @@ if [[ $uefi == yes ]]; then
printf "%s " "$(< "$conf")" >> "$uefi_outdir/cmdline.txt"
done
fi
-
+ # shellcheck disable=SC1004
offs=$(objdump -h "$uefi_stub" 2> /dev/null | gawk 'NF==7 {size=strtonum("0x"$3);\
offset=strtonum("0x"$4)} END {print size + offset}')
if [[ $offs -eq 0 ]]; then

24
0040.patch Normal file
View File

@ -0,0 +1,24 @@
From 9c1c19de50de5dba6d0875425539cb9259dd7451 Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Mon, 14 Aug 2023 12:37:33 +0200
Subject: [PATCH] fix(rngd): spacing
Related: #2158155
---
modules.d/06rngd/module-setup.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules.d/06rngd/module-setup.sh b/modules.d/06rngd/module-setup.sh
index 66923a38..1e5f0eb9 100644
--- a/modules.d/06rngd/module-setup.sh
+++ b/modules.d/06rngd/module-setup.sh
@@ -35,7 +35,7 @@ install() {
inst_simple "${systemdsystemunitdir}/rngd.service"
if [ -r /etc/sysconfig/rngd ]; then
- inst_simple "${moddir}/sysconfig" "/etc/sysconfig/rngd"
+ inst_simple "${moddir}/sysconfig" "/etc/sysconfig/rngd"
fi
# make sure dependant libs are installed too

49
0041.patch Normal file
View File

@ -0,0 +1,49 @@
From 9d2a3df5453001612b225c7423451f6e02e06c19 Mon Sep 17 00:00:00 2001
From: Alberto Planas <aplanas@suse.com>
Date: Mon, 20 Jun 2022 17:13:19 +0200
Subject: [PATCH] fix(integrity): do not enable EVM if there is no key
Track when a key is successfully loaded, and return 1 if no key has been
loaded. This will not enable EVM if there are no keys available in the
system.
Fix #1847
Signed-off-by: Alberto Planas <aplanas@suse.com>
(Cherry-picked commit: 90585c624af15ba0abb7f32b0c2afc2b122dd019)
Related: #2158155
---
modules.d/98integrity/evm-enable.sh | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh
index 0abdfb80..913b5f12 100755
--- a/modules.d/98integrity/evm-enable.sh
+++ b/modules.d/98integrity/evm-enable.sh
@@ -99,6 +99,7 @@ load_evm_x509() {
fi
# load the default EVM public key onto the EVM keyring along
# with all the other ones in $EVMKEYSDIR
+ local key_imported=1
for PUBKEY in ${EVMX509PATH} "${NEWROOT}${EVMKEYSDIR}"/*; do
if [ ! -f "${PUBKEY}" ]; then
if [ "${RD_DEBUG}" = "yes" ]; then
@@ -110,13 +111,14 @@ load_evm_x509() {
info "integrity: failed to load the EVM X509 cert ${PUBKEY}"
return 1
fi
+ key_imported=0
done
if [ "${RD_DEBUG}" = "yes" ]; then
keyctl show @u
fi
- return 0
+ return ${key_imported}
}
unload_evm_key() {

46
0042.patch Normal file
View File

@ -0,0 +1,46 @@
From ecc17a2cd574b31ce6f95f5a7d8ee6c62ecbb51b Mon Sep 17 00:00:00 2001
From: Pavel Valena <pvalena@redhat.com>
Date: Wed, 16 Aug 2023 14:02:51 +0200
Subject: [PATCH] fix(fips): include openssl's fips.so and openssl.cnf
Resolves: #2176560
---
modules.d/01fips/module-setup.sh | 13 +++++++++++++
modules.d/01fips/openssl.cnf | 7 +++++++
2 files changed, 20 insertions(+)
diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
index cc9d15ce..7ff5e640 100755
--- a/modules.d/01fips/module-setup.sh
+++ b/modules.d/01fips/module-setup.sh
@@ -82,4 +82,17 @@ install() {
dfatal "To create an initramfs with fips support, dracut has to run as root"
return 1
}
+
+ # if we have openssl we need to install their fips library and configuration
+ [ -x /usr/bin/openssl ] && {
+ read -r _ conf < <(openssl version -d)
+ conf=${conf#\"}
+ conf=${conf%\"}
+ inst_simple "${moddir}/openssl.cnf" "$conf/openssl.cnf"
+
+ read -r _ mod < <(openssl version -m)
+ mod=${mod#\"}
+ mod=${mod%\"}
+ inst_simple "$mod/fips.so"
+ }
}
diff --git a/modules.d/01fips/openssl.cnf b/modules.d/01fips/openssl.cnf
new file mode 100644
index 00000000..ee9adcf0
--- /dev/null
+++ b/modules.d/01fips/openssl.cnf
@@ -0,0 +1,7 @@
+openssl_conf = openssl_init
+[openssl_init]
+providers = provider_sect
+[provider_sect]
+default = default_sect
+[default_sect]
+activate = 1

View File

@ -5,7 +5,7 @@
# strip the automatically generated dep here and instead co-own the # strip the automatically generated dep here and instead co-own the
# directory. # directory.
%global __requires_exclude pkg-config %global __requires_exclude pkg-config
%define dist_free_release 38.git20230725 %define dist_free_release 43.git20230816
Name: dracut Name: dracut
Version: 057 Version: 057
@ -66,6 +66,11 @@ Patch34: 0034.patch
Patch35: 0035.patch Patch35: 0035.patch
Patch36: 0036.patch Patch36: 0036.patch
Patch37: 0037.patch Patch37: 0037.patch
Patch38: 0038.patch
Patch39: 0039.patch
Patch40: 0040.patch
Patch41: 0041.patch
Patch42: 0042.patch
Source1: https://www.gnu.org/licenses/lgpl-2.1.txt Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
@ -252,13 +257,6 @@ rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/00dash
# we do not support mksh in the initramfs # we do not support mksh in the initramfs
rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/00mksh rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/00mksh
%if %{defined _unitdir}
# with systemd IMA and selinux modules do not make sense
rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/96securityfs
rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/97masterkey
rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/98integrity
%endif
%ifnarch s390 s390x %ifnarch s390 s390x
# remove architecture specific modules # remove architecture specific modules
rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/80cms rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/80cms
@ -432,11 +430,9 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
%{dracutlibdir}/modules.d/95zfcp %{dracutlibdir}/modules.d/95zfcp
%{dracutlibdir}/modules.d/95zfcp_rules %{dracutlibdir}/modules.d/95zfcp_rules
%endif %endif
%if %{undefined _unitdir}
%{dracutlibdir}/modules.d/96securityfs %{dracutlibdir}/modules.d/96securityfs
%{dracutlibdir}/modules.d/97masterkey %{dracutlibdir}/modules.d/97masterkey
%{dracutlibdir}/modules.d/98integrity %{dracutlibdir}/modules.d/98integrity
%endif
%{dracutlibdir}/modules.d/97biosdevname %{dracutlibdir}/modules.d/97biosdevname
%{dracutlibdir}/modules.d/98dracut-systemd %{dracutlibdir}/modules.d/98dracut-systemd
%{dracutlibdir}/modules.d/98ecryptfs %{dracutlibdir}/modules.d/98ecryptfs
@ -524,6 +520,13 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
%{_prefix}/lib/kernel/install.d/51-dracut-rescue.install %{_prefix}/lib/kernel/install.d/51-dracut-rescue.install
%changelog %changelog
* Wed Aug 16 2023 Pavel Valena <pvalena@redhat.com> - 057-43.git20230816
- feat(spec): include modules for IMA
- fix(dracut): there can be \ at the end on line in awk script
- fix(rngd): spacing
- fix(integrity): do not enable EVM if there is no key
- fix(fips): include openssl's fips.so and openssl.cnf
* Tue Jul 25 2023 Pavel Valena <pvalena@redhat.com> - 057-38.git20230725 * Tue Jul 25 2023 Pavel Valena <pvalena@redhat.com> - 057-38.git20230725
- fix(dracut.sh): use dynamically uefi's sections offset - fix(dracut.sh): use dynamically uefi's sections offset
- fix(dracut.sh): handle imagebase for uefi - fix(dracut.sh): handle imagebase for uefi